A Steganography sample malware

Art

Regulars here are aware that steganography is a technique
of embedding malicious code in picture image files (and other
files). Such files are themselves harmless since they require
companion active malware to run the embedded code.

The subject sample came in a zip of four files, three JPEGS
and a file named WIN32.EXE. Here's the Virus Total result
for the WIN32.EXE file:
***********************************
AntiVir TR/Crypt.F.Gen
Authentium no virus found
Avast no virus found
AVG no virus found
BitDefender Trojan.Downloader.Small.AMA
CAT-QuickHeal no virus found
ClamAV no virus found
DrWeb Trojan.DownLoader.9540
eTrust-Inoculat no virus found
eTrust-Vet Win32/Vxidl!generic
Ewido Downloader.Tibs.eo
Fortinet no virus found
F-Prot no virus found
Ikarus no virus found
Kaspersky Trojan-Downloader.Win32.Tibs.eo
McAfee 4791 Generic Downloader
Microsoft no virus found
NOD32v2 probably a variant of Win32/TrojanDownloader.Small.AWA
Norman no virus found
Panda Adware/Adsmart
Sophos no virus found
Symantec Trojan.Galapoper.A
TheHacker no virus found
UNA no virus found
VBA32 Trojan.DownLoader.9540
VirusBuster no virus found
************************************
Only Bit Defender and Symantec alerted on the JPEGS.
Bit Defender found Trojan.HideFrog.A in all three
(they are images of a frog :))

Symantec alerted as follows:
NT1.JPG W32.Looksky!gen
NT2.JPG Trojan.Desktophijack.B
NT3.JPG Trojan.Jupillites

I'm puzzled that only two products alert on the JPEGS
even though many alert on the (apparently)
companion malware. I would think it important to
alert on the JPEGS as a warning to users to get rid
of them.

I'm also puzzled/curious about the Symantec
alerts.

Here's a McAfee blog with some info on this
malware set:

http://www.avertlabs.com/research/blog/?p=36

BTW, while McAfee alerts on WIN32.EXE as Generic
Downloader, it does not alert on the JPEGS.

Art
http://home.epix.net/~artnpeg
 
Ian Kenefick

Only Bit Defender and Symantec alerted on the JPEGS.
Bit Defender found Trojan.HideFrog.A in all three
(they are images of a frog :))

Symantec alerted as follows:
NT1.JPG W32.Looksky!gen
NT2.JPG Trojan.Desktophijack.B
NT3.JPG Trojan.Jupillites

I'm puzzled that only two products alert on the JPEGS
even though many alert on the (apparently)
companion malware. I would think it important to
alert on the JPEGS as a warning to users to get rid
of them.

I'm also puzzled/curious about the Symantec
alerts.

Here's a McAfee blog with some info on this
malware set:

http://www.avertlabs.com/research/blog/?p=36

BTW, while McAfee alerts on WIN32.EXE as Generic
Downloader, it does not alert on the JPEGS.

It was interesting in McAfee's analysis. He mentions that some
analysts would skip over the jpegs thinking they were benign jpegs and
not taking them into consideration in the overall analysis. Of
course... dynamic analysis would show their true functionality. You
wonder how much of this stuff does get 'missed' by virus analysts.
 
Art

It was interesting in McAfee's analysis. He mentions that some
analysts would skip over the jpegs thinking they were benign jpegs and
not taking them into consideration in the overall analysis. Of
course... dynamic analysis would show their true functionality. You
wonder how much of this stuff does get 'missed' by virus analysts.

I've sent the JPEGs to Kaspersky asking why KAV doesn't alert.
Depending on the analyst, I might get a good answer. Sometimes
Eugene himself is the analyst, and if I'm lucky I'll hit paydirt :)

Art
http://home.epix.net/~artnpeg
 
kurt wismer

Art said:
Regulars here are aware that steganography is a technique
of embedding malicious code in picture image files (and other
files).

minor quibble - steganography is a technique for hiding messages in
other things, it's not just for hiding malware...

[snip]
I'm puzzled that only two products alert on the JPEGS
even though many alert on the (apparently)
companion malware. I would think it important to
alert on the JPEGS as a warning to users to get rid
of them.

think of it as being analogous to the issue of scanning inside of
various types of archives (which i know you're already quite familiar
with)... ultimately the jpegs are just acting as a kind of container...
how good are av apps at scanning inside containers in general and exotic
(ie. non-zip/rar/arj) containers in particular? i seem to recall you
saying something about problems unpacking installation files even (and
one wouldn't normally consider those to be 'exotic')...
 
Art

minor quibble - steganography is a technique for hiding messages in
other things, it's not just for hiding malware...

To paraphrase Winston Churchill, "Such errant pedantry up with I shall
not put!". Obviously if malicious code can be embedded in certain
files, any code can be embedded.

Art
http://home.epix.net/~artnpeg
 
Art

think of it as being analogous to the issue of scanning inside of
various types of archives (which i know you're already quite familiar
with)... ultimately the jpegs are just acting as a kind of container...
how good are av apps at scanning inside containers in general and exotic
(ie. non-zip/rar/arj) containers in particular? i seem to recall you
saying something about problems unpacking installation files even (and
one wouldn't normally consider those to be 'exotic')...

Here's a snippet from the blog I referenced where the author responds
to a comment by "Mike":
*******************************************************
And basic X-raying is all that’s required to decrypt these files, for
now anyway.
*******************************************************
Now, I dunno what he means by "basic X-raying" but he makes it
sound as if the decryption in this particular case is straightforward.
Whether he means in a lab only or in a scanner is a question.
Anyway, that's partially why I'm surprised that Kaspersky in
particular isn't alerting. They seem to never shy away from difficult
"unravelling" and "scanning within" all kinds of files. Plus the fact
that it _appears_ that Symantec is effectively decrypting,
and Bit Defender _may_ also be decrypting. As of this moment, I
haven't yet heard back from a Kaspersky analyst. I'm hoping
their response will shed light on my questions.

Art
http://home.epix.net/~artnpeg
 
Dustin Cook

Art said:
I'm puzzled that only two products alert on the JPEGS
even though many alert on the (apparently)
companion malware. I would think it important to
alert on the JPEGS as a warning to users to get rid
of them.

The code contained inside the jpegs isn't functional without something
to read it, win32.exe. Otherwise, the jpegs are a picture of a frog,
with hidden code. Code only readable by software that already knows
it's there. I don't think picture viewer will do anything bad if you
decide to look at one. :)

You could steganography a .gif, .bmp, almost anything that doesn't have
crc checks and/or a hashing table. The catch tho is, your code likely
isn't operational on its own. A 3rd party will need to come read, and
put you back together in order to run.
I'm also puzzled/curious about the Symantec
alerts.

Here's a McAfee blog with some info on this
malware set:

http://www.avertlabs.com/research/blog/?p=36

BTW, while McAfee alerts on WIN32.EXE as Generic
Downloader, it does not alert on the JPEGS.

I believe BugHunter also picks up win32.exe, but it doesn't alarm on
the jpegs either. And it's not going to....
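Kurt's point that the JPEGs are "just acting as a kind of container" and Dustin's point that the hidden code is inert until something reads it both come down to the same defensive question: does a scanner look past the picture at the bytes a viewer would never touch? The inspector below is an added example written for this thread, not code from any poster or from any AV product. It walks the JPEG marker segments, skips the entropy-coded picture data, and reports what a viewer ignores: bytes appended after the EOI marker and oversized COM/APPn segments. The thread does not say how the frog JPEGs actually carried their payload, so treating "appended after EOI or stuffed into a comment segment" as the hiding places is an assumption, as is the 4 KiB size threshold. The sample JPEG bytes are constructed skeletons (valid marker structure, not a decodable image), and the appended blobs are constructed stand-ins for a payload.

```python
"""Structural JPEG inspector: reports data that is not part of the picture.

Added example for the alt.comp.virus thread; not any product's logic.
Assumptions (not stated in the thread): a payload rides either after the
EOI marker or inside a large COM/APPn segment, and 4 KiB is a reasonable
size above which such a segment deserves a look.
"""
import math
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
NO_LENGTH = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))  # TEM, SOI, EOI, RST0-7
LARGE_SEGMENT = 4096  # assumed threshold for "this comment/app segment is too big"


def parse_jpeg(data: bytes) -> dict:
    """Walk the marker segments of a JPEG.

    Returns the segments before EOI as (marker, offset, payload) tuples, the
    length of the entropy-coded scan data, and every byte after the EOI marker.
    """
    if data[:2] != b"\xFF\xD8":
        raise ValueError("not a JPEG: no SOI marker")
    pos, segments, scan_len, trailing = 2, [], 0, None
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected 0xFF at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:  # fill byte before a marker, skip it
            pos += 1
            continue
        if marker == EOI:
            trailing = data[pos + 2:]  # a viewer stops here; a scanner should not
            break
        if marker in NO_LENGTH:
            segments.append((marker, pos, b""))
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # includes the 2 length bytes
        payload = data[pos + 4:pos + 2 + length]
        segments.append((marker, pos, payload))
        pos += 2 + length
        if marker == SOS:
            # Entropy-coded data follows; FF00 is byte stuffing and FFD0-FFD7 are
            # restart markers, anything else after FF is a real marker.
            start = pos
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt not in (0x00, 0xFF) and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
            scan_len = pos - start
    if trailing is None:
        raise ValueError("no EOI marker: truncated file")
    return {"segments": segments, "scan_len": scan_len, "trailing": trailing}


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte; encrypted or compressed data sits near 8.0."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def inspect_jpeg(data: bytes) -> list:
    """Return human-readable findings about non-image content; empty list if none."""
    info = parse_jpeg(data)
    findings = []
    for marker, offset, payload in info["segments"]:
        if (marker == 0xFE or 0xE0 <= marker <= 0xEF) and len(payload) > LARGE_SEGMENT:
            findings.append(f"large non-image segment 0xFF{marker:02X} at offset {offset}: {len(payload)} bytes")
    tail = info["trailing"]
    if tail:
        if tail[:2] == b"MZ":
            kind = "PE header (MZ)"
        elif shannon_entropy(tail) > 7.0:
            kind = "high entropy"
        else:
            kind = "unclassified"
        findings.append(f"{len(tail)} bytes appended after EOI ({kind})")
    return findings


def segment(marker: int, payload: bytes) -> bytes:
    """Encode one length-prefixed JPEG segment."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


def build_sample(appended: bytes = b"", comment: bytes = b"frog") -> bytes:
    """Constructed JPEG skeleton: correct marker layout, not a real picture."""
    jfif = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    scan = b"\x12\x34\xFF\x00\x56\xFF\xD0\x78"  # includes a stuffed FF00 and an RST0
    return (b"\xFF\xD8" + segment(0xE0, jfif) + segment(0xFE, comment)
            + segment(SOS, b"\x01\x01\x00\x00\x3F\x00") + scan + b"\xFF\xD9" + appended)


if __name__ == "__main__":
    samples = {
        "clean": build_sample(),
        "appended blob": build_sample(appended=bytes(range(256)) * 4),  # constructed stand-in payload
        "big comment": build_sample(comment=b"A" * 5000),
    }
    for label, blob in samples.items():
        print(f"{label:14s} {inspect_jpeg(blob) or 'nothing outside the image'}")
```

The clean skeleton produces no findings, which is the answer to the false-alarm worry raised later in the thread: a structural check reports where non-image bytes live rather than guessing whether a picture "looks" infected, and ordinary JFIF and short comment segments pass untouched. What it does not do is decide that a reported blob is malicious; that is where a signature on the extracted bytes, or a companion executable that reads them, comes in.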
 
Art

The code contained inside the jpegs isn't functional without something
to read it, win32.exe. Otherwise, the jpegs are a picture of a frog,
with hidden code. Code only readable by software that already knows
it's there. I don't think picture viewer will do anything bad if you
decide to look at one. :)

Of course it doesn't but that's beside the point.
You could steganography a .gif, .bmp, almost anything that doesn't have
crc checks and/or a hashing table. The catch tho is, your code likely
isn't operational on its own. A 3rd party will need to come read, and
put you back together in order to run.

Yep, and that's exactly why I think the .JPGs should be detected.
I believe BugHunter also picks up win32.exe, but it doesn't alarm on
the jpegs either. And it's not going to....

Too bad. It would be a useful detection IMO.

Art
http://home.epix.net/~artnpeg
 
Dustin Cook

Art said:
Of course it doesn't but that's beside the point.

I'm lost then.
Steganography is the art and science of writing hidden messages in such
a way that no one apart from the intended recipient knows of the
existence of the message; this is in contrast to cryptography, where
the existence of the message itself is not disguised, but the content
is obscured.
Yep, and that's exactly why I think the .JPGs should be detected.

Ehm... You do realize the growing possibility of false alarms if we
have antivirus/malware products trying to guess if something has a
hidden bit of code in a jpeg right?

That's alot of signatures. :)
Too bad. It would be a useful detection IMO.

I would tend to disagree...
 
Art

I'm lost then.
Steganography is the art and science of writing hidden messages in such
a way that no one apart from the intended recipient knows of the
existence of the message; this is in contrast to cryptography, where
the existence of the message itself is not disguised, but the content
is obscured.

In this case they use JPG steganography to hide malicious code in
JPGs. Companion malware is required to decrypt and run the malicious
code.
Ehm... You do realize the growing possibility of false alarms if we
have antivirus/malware products trying to guess if something has a
hidden bit of code in a jpeg right?

I don't know that av have to "guess" (use heuristics only). It doesn't
appear that Symantec is detecting heuristically since it gives exact
IDs (and different ones) on three different JPG files.
That's alot of signatures. :)

Hell, signatures are ballooning outa sight anyway :) What's a few
more?
I would tend to disagree...

I'd say informing the user of the infested JPG which might be
used by the companion malware at any point is important. I'd
say it's more important than wasting sigs as some do on
commercial sw which might be used for nefarious purposes.
I'd go so far as to say it's more important than flagging
harmless adware that's merely annoying. After all, we're
talking here about some nasty downloader Trojans.

Art
http://home.epix.net/~artnpeg
 
Dustin Cook

Art said:
I don't know that av have to "guess" (use heuristics only). It doesn't
appear that Symantec is detecting heuristically since it gives exact
IDs (and different ones) on three different JPG files.

Nah, you're right, they're using sigs. The malware isn't really keen on
the process, IE: it's fixed, or appears to be.
Hell, signatures are ballooning outa sight anyway :) What's a few
more?

How very true, and quite saddening. :)
I'd say informing the user of the infested JPG which might be
used by the companion malware at any point is important. I'd
say it's more important than wasting sigs as some do on
commercial sw which might be used for nefarious purposes.
I'd go so far as to say it's more important than flagging
harmless adware that's merely annoying. After all, we're
talking here about some nasty downloader Trojans.

Fair enough Art, You've convinced me to hunt down the frog jpegs and
add them to bughunter...Although, I still maintain they are harmless
without win32.exe....
 
edgewalker

Ian Kenefick said:
It was interesting yin McAfee's analysis. He mentions that some
analysts would skip over the jpegs thinking they were benign jpegs and
not taking them into consideration in the overall analysis. Of
course... dynamic analysis would show their true functionality. You
wonder how much of this stuff does get 'missed' by virus analysts.

The only "threat" is the executable. The same old story as before regarding
jpg viruses - something "else" has to be amiss. True, they should include it
in the cleanup, but it is not really necessary.
 
edgewalker

Art said:
To paraphrase Winston Churchill, "Such errant pedantry up with I shall
not put!". Obviously if malicious code can be embedded in certain
files, any code can be embedded.

What he's getting at is not only code but "information" gets embedded. Your
statement sounded too much like a wrong definition of steganography.
 
Art

Fair enough Art, You've convinced me to hunt down the frog jpegs and
add them to bughunter...

No need to hunt. Just let me know if you want me to send
them to you. And no, I'm not a malware spreader. I trust
you aren't either any more :)
Although, I still maintain they are harmless
without win32.exe....

Of course. Or some other suitable malware the mob in Russia
is cranking out that also works with these particular JPG files.

Art
http://home.epix.net/~artnpeg
 
4Q

Dustin said:
The code contained inside the jpegs isn't functional without something
to read it, win32.exe. Otherwise, the jpegs are a picture of a frog,
with hidden code. Code only readable by software that already knows
it's there. I don't think picture viewer will do anything bad if you
decide to look at one. :)

Raidy an exception to the rule maybe Minders .bmp IRC worm
His code was contained inside the .bmp file and looked like
a little bit of random noise inside a viewer, however his
worm was also a weak SE trick and the picture contained a
message asking the user to rename the .bmp to a .com
Then it operated as a normal wormoid.

Bit lame as an ITW example but hey nice example of a hax0r
thinking outside the box.

4Q
 
edgewalker

Art said:
On 23 Jun 2006 08:11:24 -0700, "Dustin Cook"


Too bad. It would be a useful detection IMO.

Do you want to look in *everything* for *anything*? Think of the cost.
 
David H. Lipman

From: "Art" <[email protected]>

| Regulars here are aware that steganography is a technique
| of embedding malicious code in picture image files (and other
| files). Such files are themselves harmless since they require
| companion active malware to run the embedded code.

| The subject sample came in a zip of four files, three JPEGS
| and a file named WIN32.EXE. Here's the Virus Total result
| for the WIN32.EXE file:
| ***********************************
| AntiVir TR/Crypt.F.Gen
| Authentium no virus found
| Avast no virus found
| AVG no virus found
| BitDefender Trojan.Downloader.Small.AMA
| CAT-QuickHeal no virus found
| ClamAV no virus found
| DrWeb Trojan.DownLoader.9540
| eTrust-Inoculat no virus found
| eTrust-Vet Win32/Vxidl!generic
| Ewido Downloader.Tibs.eo
| Fortinet no virus found
| F-Prot no virus found
| Ikarus no virus found
| Kaspersky Trojan-Downloader.Win32.Tibs.eo
| McAfee 4791 Generic Downloader
| Microsoft no virus found
| NOD32v2 probably a variant of Win32/TrojanDownloader.Small.AWA
| Norman no virus found
| Panda Adware/Adsmart
| Sophos no virus found
| Symantec Trojan.Galapoper.A
| TheHacker no virus found
| UNA no virus found
| VBA32 Trojan.DownLoader.9540
| VirusBuster no virus found
| ************************************
| Only Bit Defender and Symantec alerted on the JPEGS.
| Bit Defender found Trojan.HideFrog.A in all three
| (they are images of a frog :))

| Symantec alerted as follows:
| NT1.JPG W32.Looksky!gen
| NT2.JPG Trojan.Desktophijack.B
| NT3.JPG Trojan.Jupillites

| I'm puzzled that only two products alert on the JPEGS
| even though many alert on the (apparently)
| companion malware. I would think it important to
| alert on the JPEGS as a warning to users to get rid
| of them.

| I'm also puzzled/curious about the Symantec
| alerts.

| Here's a McAfee blog with some info on this
| malware set:

| http://www.avertlabs.com/research/blog/?p=36

| BTW, while McAfee alerts on WIN32.EXE as Generic
| Downloader, it does not alert on the JPEGS.

| Art
| http://home.epix.net/~artnpeg

Hi Art:

I see a nice thread came from this :)

I originally received from Symantec the following...

We have analyzed your submission. The following is a report of our findings for each file
you have submitted:

filename: nt1.jpg
machine: AVCAutomation:
result: See the developer notes

filename: nt2.jpg
machine: AVCAutomation:
result: See the developer notes

filename: nt3.jpg
machine: AVCAutomation:
result: See the developer notes

Developer notes:
nt1.jpg is an image file that contains virus. You should delete this file.
nt2.jpg is an image file that contains virus. You should delete this file.
nt3.jpg is an image file that contains virus. You should delete this file.

-----

I was asking myself "What Virus" ? They didn't identify anything !

Now on another batch...

Symantec is calling the submitted JPEGs -- Trojan.Frogexer!gen.

filename: proxy.jpg
machine: AVCAutomation:
result: This file is detected as Trojan.Frogexer!gen.

filename: tibs.jpg
machine: AVCAutomation:
result: This file is detected as Trojan.Frogexer!gen.

filename: jpg.jpg
machine: AVCAutomation:
result: This file is detected as Trojan.Frogexer!gen.

filename: tool.jpg
machine: AVCAutomation:
result: This file is detected as Trojan.Frogexer!gen.

filename: winlogon.jpg
machine: AVCAutomation:
result: This file is detected as Trojan.Frogexer!gen.
 